In addition to the security measures already covered in previous blogs, HIPAA requires that covered entities (health care providers, health plans and clearinghouses) and their business associates maintain written policies, procedures and documentation, and keep all of them current so that they continue to meet the requirements of the Security Rule.

HIPAA considers a business associate (a "third party") to be any person or organization, other than a member of the covered entity's own workforce, that performs functions or activities on behalf of the covered entity, or provides services to it, that involve access to protected health information.

Business associate or third party contracts

HIPAA requires that every business associate or third party that may have access to patients' health information sign a written business associate contract (or other arrangement) in which it assumes responsibility for safeguarding that information and accepts liability in the event of leakage, loss or tampering.

Contracts must make it clear that associates or third parties will:

  • Implement reasonable and appropriate administrative, physical and technical safeguards that protect the confidentiality, integrity and availability of electronic protected health information (ePHI) it creates, receives, maintains or transmits on behalf of the covered entity,
  • Ensure that any agent, including any subcontractor, to which it provides that information agrees to the same restrictions and safeguards,
  • Report to the contracting covered entity any security incident of which it becomes aware, including breaches of unsecured protected health information,
  • And accept that the contract may be terminated if the covered entity determines that the business associate has violated a material term of the contract, including its information-protection obligations.

Group health plan requirements

The plan documents of a group health plan must incorporate provisions that require the plan sponsor to:

  • Implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the electronic health information that it creates, receives, maintains or transmits on behalf of the group health plan;
  • Ensure that any agent, including contractors and subcontractors, to whom it provides this information agrees to implement reasonable and appropriate security measures to protect it;
  • Report to the group health plan any security incident of which it becomes aware.

Policy, procedure, and document requirements

Covered entities and business associates must implement reasonable and appropriate policies and procedures that comply with the standards and implementation specifications of the Security Rule described previously, as well as any new requirements that arise in the area of data security.

This standard may not be read as permitting or excusing any action that violates another standard, implementation specification or requirement of the Security Rule. A covered entity or business associate may change its policies, procedures and documents whenever it sees fit, provided the changes are documented and implemented, and everything still complies with the rule.

The documentation standard requires that the policies and procedures be maintained in written form, which may be electronic, and that whenever the rule requires an action, activity or assessment to be documented, a written (again, possibly electronic) record of it is kept.

Under the "time limit" specification, documentation must be retained for six years from the date it was created or the date it was last in effect, whichever is later, so a superseded policy still has to be kept. Six years is the minimum retention period; a covered entity or health plan may keep documents longer if it considers this necessary.

The "availability" specification requires that documentation be made available to the people responsible for implementing the procedures it describes, whenever they need it and whether it is held on paper or electronically.

The "updates" specification requires that documentation be reviewed periodically and updated as needed in response to environmental or operational changes that affect the security of ePHI. The review interval is left to each health plan and covered entity to set, as long as the documentation keeps pace with changes in internal operations and information security is maintained.

Source: HHS